Encryption at rest and transparent data encryption

by Shih Huei Tan, Solution Engineer at Privitar

 
Data encryption is a way of protecting your important data from hackers, criminals, or sometimes intended recipients who may want to use the information for malicious purposes. This involves the scrambling of data, such as passwords, credit card numbers or messages, into a string of unintelligible text called a ciphertext. One of the earliest recorded uses of this technique was in the Roman Empire, where Julius Caesar came up with the idea of moving the last three characters of the alphabet to the beginning.

By doing this, a normal message that might have been “ATTACK FROM THE NORTH” would appear as “XQQXZH COLJ QEB KLOQE.” The intention behind this text scrambling was to be able to safely send messages between his troops in battle in the hopes that if those messages ever got stolen or intercepted by the enemy, they would not understand the true message.

While this may have worked well for the Roman Empire back then, such methods are inadequate in today’s world — now more sophisticated techniques are required to protect your data. Encryption today is usually achieved through a mathematical algorithm to convert the plain text into a ciphertext; this is generally referred to as an encryption key. It is also possible to use the key to reverse the ciphertext to its original text so that the message can be read and processed by the recipient.

Two ways to perform data encryption 

Symmetric encryption: A single key is used to encrypt and decrypt the information. This means that the key is shared with those who are authorised to access the information.
Asymmetric encryption: Information is encrypted and decrypted using two separate keys — the public key and the private key. Because the public-key can be requested by the sender and is easily obtainable, it is only used to encrypt the information. The ciphertext is then decrypted using a private key. These two keys are mathematically related.

When to protect sensitive data

Sensitive data usually needs to be protected in two states: while it is being transmitted between two points (in transit) or when it is being stored (at rest). An example of data in transit can occur when customers are making online purchases and need to send their order from their laptops together with sensitive information, such as their names, contact information, and credit card details over the internet to the merchant’s server.

This is inherently dangerous because the information could be intercepted along the way and exposed. Some examples of encrypting data in transit include Hypertext Transfer Protocol Secure (HTTPS) which uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the data or Secure File Transfer Protocol (SFTP), which is a file protocol for transferring large files over the web (built on the Transfer Protocol (FTP) and includes Secure Shell (SSH) security components) and is also known as Secure Shell (SSH) File Transfer Protocol.

Data also needs to be protected when it is being stored on a computer system; this is considered data at rest. We don’t just need to protect sensitive information when it is in transit, but also while it is at rest. This can mean encrypting individual files and tables before storing them or encrypting the entire storage drive. Encrypting the data this way protects the information against an unauthorised person (perhaps a hacker or an internal employee who wishes to misuse the data) who gains access to the system because data encryption renders that sensitive data unreadable — and therefore useless.

Data encryption techniques

One of the primary techniques to protect data at rest is called Transparent Data Encryption or TDE. This is typically used in database systems to secure data either on the table or column level and allows authorised applications to transparently decrypt the data when required. It is generally designed such that the application does not need to be specially modified to handle the encryption and decryption process when accessing the data — as long as it has sufficient privileges to do so.

Using the same online retail example as I did earlier, once the order information from the customer has been securely sent over the network, it will be encrypted and stored on a database in the server.  When it is time to fulfill the order for the customer, the application must be able to decrypt the data so that the information can be processed and encrypted again once completed. This seamless operation can be achieved using Transparent Data Encryption on the database system.

Protect sensitive data

I hope that this helps to show how data encryption is a powerful way that can be used to protect information while it is at rest and stored on a computer. Encryption can also be used to protect information as it is being sent from one point to another, typically between computer systems over the network. Encrypting your data prevents important information from being compromised in case it falls into the wrong hands.

Read Data Privacy 101: Guide to De-Identification – Download now.